Slashdot Mirror


US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

7 of 87 comments

  1. This brings up the question by Attila Dimedici · Score: 4, Insightful

    Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

    --
    The truth is that all men having power ought to be mistrusted. James Madison
    1. Re:This brings up the question by rsborg · Score: 5, Insightful

      Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

      These systems don't have to be on the "internet" in order to be vulnerable. These ActiveX controls are likely deployed internally, probably with adequate security. But networks are porous, and as Stuxnet proved, complex malware can be executed to effect. The issue is that security isn't treated as a process but as a response or feature. Good security takes into account all possible vectors (humans being the biggest).

      --
      Make sure everyone's vote counts: Verified Voting
  2. Controls are a different Beast... by Rogue974 · Score: 4, Interesting

    I am a Controls Engineer and work with HMI interfaces everyday.

    We keep seeing more and more things like this in the controls world. Every few months we hear that this HMI or that controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

    Place I work at, we have completely separate hardware than IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

    It does scare me when I think about how some of the other plants and industries make connections to the intranet from their controls system, for various reasons, and trust that their security will hold.

    1. Re:Controls are a different Beast... by anchovy_chekov · Score: 4, Interesting

      You're a very lucky engineer. Back when I was involved in process control - happy days I'm trying to get back to with http://xpca.org/ - so many engineering depts. were under budgetary and business-political pressure to merge their networks with the corporate network and hand over control of their systems to the better-budgeted (and more politically savvy) IT departments.

      It was madness! Can't control your machinery? Oh, maybe that's because everyone's streaming the Royal Wedding. Too bad.

      I think I've told this story here before but the funniest experience was finding a set of cables hidden along an I-beam, asking about it and then getting grabbed by an engineer and told "Ssh! That's *our* network"

      Seriously, the industry needs an overhaul. We need to get away from the whole OPC / DCOM / ActiveX craziness before some real disaster happens.

  3. Re:Really? by perpenso · Score: 5, Insightful

    Security holes in ActiveX, whodathunkit.

    Perhaps I am mistaken but I think the newsworthiness of this story is not that ActiveX has issues, rather it is that there are a bunch of people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls. ;-)
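The thread above talks about the ActiveX control as the problem without saying what an operator can do about it while waiting for a vendor fix. The standard interim mitigation for a vulnerable ActiveX control is the Internet Explorer "kill bit": setting bit 0x400 of the "Compatibility Flags" value under the control's CLSID in the ActiveX Compatibility registry key stops IE from instantiating that control from web content. The script below is an added example, not code from the Slashdot thread, from Iconics, or from the US-CERT advisory. The CLSID is passed in as a parameter because the thread does not name it; substitute the CLSID given in the advisory. It must run in an elevated PowerShell session, since it writes under HKLM.

```powershell
# Added example: set and verify the IE kill bit for one ActiveX control.
# Not from the Slashdot thread, Iconics or US-CERT. The CLSID is supplied by
# the caller; the advisory, not this page, is the source for the real value.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid
)

# 0x400 is the documented "kill bit" flag: IE refuses to load the control.
$KillBit = 0x400

# On 64-bit Windows, 32-bit IE reads the Wow6432Node view, so both must be set.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any flags already present: OR the kill bit in rather than overwriting.
    $Current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $Current) { $Current = 0 }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($Current -bor $KillBit) -Force | Out-Null
}

# Verification: report each registry view and whether bit 0x400 is now set.
foreach ($Path in $Paths) {
    $Flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    $Blocked = (($Flags -band $KillBit) -ne 0)
    "{0}`tCompatibility Flags=0x{1:X}`tkill bit set: {2}" -f $Path, $Flags, $Blocked
}
```

Caveat a practitioner would want: the kill bit only stops Internet Explorer (and anything else that honours the ActiveX Compatibility key) from loading the control. It does nothing for the HMI application that hosts the same control natively, so the vendor's update is still required, and the control should be re-checked after the update in case the installer rewrites the key.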

  4. Re:Really? by cyber-vandal · Score: 4, Funny

    I read that and immediately thought what fucking idiots would use ActiveX for anything so fucking important. And then I thought fucking hell a bit more.

  5. Re:ActiveX ? I heard you were dead. by Red Flayer · Score: 4, Funny

    Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai